Ukraine Mounts Investigation of Kiev Airport Cyberattack

Ukrainian officials earlier this week said they had launched a probe into the source of a cyberattack that targeted the Boryspil International Airport in Kiev.

The attack may be related to the BlackEnergy malware attacks that recently targeted Ukrainian infrastructure facilities, apparently from a source inside Russia.

The Computer Emergency Response Team of Ukraine (CERT-UA) on Monday warned system administrators to be on the alert for the presence of BlackEnergy malware.

Links to Utility Attacks

The evidence shows a clear link to the BlackEnergy malware that took down utility companies and other targets in recent months, Robert Lipovsky, senior malware researcher at
Eset North America, told TechNewsWorld.

The methodology often involves a spearphishing email, decoy document, or combination of both, according to Eset.

"After analyzing the information that has been made available by affected power companies, researchers and the media it is clear that cyber attacks were directly responsible for power outages in Ukraine," noted John Hultquist, director of cyberespionage analysis at iSight Partners.

The attack on the Prykarpattyaoblenergo utility in the Western Ukraine was a "milestone" because it was the first major cyberattack to have a substantial effect on a civilian population, according to iSight. The malware intrusion and subsequent denial-of-service attack resulted in an outage that impacted at least 80,000 customers.

The Sandworm Team, a group that has been targeting various entities around the world -- including NATO, the European Union, and various telecommunications and energy sectors -- was responsible for the attack, according to iSight Partners.

The Sandworm Team
has a history of targeting Ukrainian government officials, members of the EU and NATO. An attack in 2014 was linked to the use of zero-day exploit of CVE-2014-4114, a vulnerability Microsoft subsequently patched.

Breaking Down the Methodology

Researchers typically use several markers to discern the source of a cyberattack, noted Wes Widner, director of threat intelligence and machine learning at
Norse.

One method is to analyze the command-and-control servers the malware attackers use, he told TechNewsWorld. Other methods include analyzing code similarities, strings found in the file, and general organization of the attack.

In this case, the Ukrainian officials determined that the C2 servers originated in Russia, Widner said.

Targeting an airport's IT network potentially could cause lasting damage, because airplanes are "fly-by-wire," and a disruption that affects the air traffic control system could lead to accidents during takeoff or landing, or a mid-air collision, Widner said.

"Moreover, controlling an airport's network can also have ramifications outside the airport, since airport instruments are often used by weather forecasters," he explained. "My guess is that the Ukraine either dodged a bullet, or else the attacker tipped their hand in order to let the Ukrainian government know how vulnerable they are."

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.